CVE-2018-20725

low-risk

Published 2019-01-16

A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label.

Do I need to act?

0.50% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.8/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Cacti

Affected Vendors

Cacti

References (14)

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00005.html

http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html

http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.html

Release Notes https://github.com/Cacti/cacti/blob/develop/CHANGELOG

Patch https://github.com/Cacti/cacti/commit/80c2a88fb2afb93f87703ba4641f9970478c102d

Exploit https://github.com/Cacti/cacti/issues/2214

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00005.html

http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html

http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.html

Release Notes https://github.com/Cacti/cacti/blob/develop/CHANGELOG

Patch https://github.com/Cacti/cacti/commit/80c2a88fb2afb93f87703ba4641f9970478c102d

Exploit https://github.com/Cacti/cacti/issues/2214

/ 100

low-risk

Severity 19/34 · Moderate

Exploitability 2/34 · Minimal

Exposure 5/34 · Minimal